I have set up web filtering using SSO authentication of users with a windows AD server. I wanted to also proxy all HTTPS (SSL) web usage. With that set up, all browsers were giving security certificate errors at any HTTPS site. It was easy to eliminate those errors in Internet Explorer and Google by simply having Astaro generate a Signing CA and importing it in IE internet options. (Google uses IEs settings).
However, simply importing the Astaro ‘s Signing CA would not work in Firefox 5 (not Four, but Firefox Five). I could import the Signing CA, but Firefox 5 would not accept it as a Certificate Authority. Thus, any HTTPS site gave Certificate errors (noting the Astaro Signing CA did not match the website being accessed.)
Google search found only these instructions at the Astaro site here. Since that page status was listed as “outdated” I did not try it.
For any other home users or individuals with a Astaro generated CA, this is how I got Firefox 5 to accept the Astaro HTTPS CA as a Certificate Authority. There were two different methods that worked.
Method 1 (if installing into Firefox 5 on a different PC than the one you are accessing Astaro Web Admin):
1) Downloaded a Signing a CA from Astaro (Web Security > Web Filtering > HTTPS CA) That file will be a PKCS#12 and have a .p12 extension.
2) In Firefox 5 (on a different PC than it was downloaded on), import the CA (Options > Advanced > Encryption > View Certificates > Your Certificates). ( A PKCS#12 CA can not be imported as an authority)
3) After importing the Astaro CA into Firefox, export it as a PEM (.crt extension). Do this in Firefox 5 by going to Options > Advanced > Encryption > View Certificates > Your Certificates, highlight the Astaro CA and click “View.” In the new Firefox 5 window that opens up, click the Details tab. Click export and Save as type “x509 Certificate (PEM)”
4) If you try to import that PEM (.crt) file into Authorities it will fail with a message that “This Certificate Authority is already installed as a certificate authority.” Go to the “Your Certificates” tab and delete the Astaro CA you had previously imported.
5) Go to the Authorities tab and Import the Astaro CA PEM (.crt) file you had exported. You will get a dialogue box with three check boxes. Check all three and import. You will now no longer have any Certificate errors in Firefox 5.
Method 2 (simpler and figured out after above was done).
1) Open up the Web Admin in Firefox 5
.
2) From within the Web Admin page in Firefox 5, downloaded a Signing a CA from Astaro (Web Security > Web Filtering > HTTPS CA) In downloading it select File type as “PEM.” In the dialogue box, check all three boxes and click save.
3) It will not download to a PC. Rather it will install the Astaro Signing CA into the Firefox 5 browser you are in.
4) Export the Astaro Signing CA from that browser. (Options > Advanced > Encryption > View Certificates > Your Certificates > Servers tab). This will export as a PEM (.crt) file.
5) Import into any other Firefox 5 browsers on other PCs from the Authorities tab ((Options > Advanced > Encryption > View Certificates > Authorities).
Hopefully, this will help any other home users who had the same difficulties with SSL proxy browsing with Firefox 5.
The next challenge is to distribute the Astaro Signing CA to Firefox using a windows GPO. I have just started tinkering with FirefoxADM which using startup and logging scripts along with windows custom GPOs.
This thread was automatically locked due to age.